chore: Add Renovate config for SHA-pinned GitHub Actions

[devin-ai-integration]

Summary

Adds a renovate.json that extends the shared workos/renovate-config preset, scoped to the github-actions manager only. Activates automated maintenance of the SHA-pinned GitHub Actions in this repo without changing how any other dependencies are managed.

Behavior gained:

• Automatic SHA pinning of any newly-added GitHub Actions via helpers:pinGitHubActionDigests.
• 7-day cooldown on all GitHub Actions updates (minimumReleaseAge: "7 days" + minimumReleaseAgeBehaviour: "timestamp-required").
• Grouped, automerged minor/patch/digest GitHub Actions updates after CI passes.
• Manual review for major version bumps.

enabledManagers: ["github-actions"] keeps Renovate out of any other ecosystems — adjust later if you want it broader.

The shared preset lives at https://github.com/workos/renovate-config and any policy change is a single edit there that propagates to every consuming repo.

Note: this repo is itself a published GitHub Action, so getting the meta-actions it consumes onto a managed cooldown is doubly relevant.

Refs SECENG-299.

Review & Testing Checklist for Human

• Confirm the Mend Renovate GitHub App is installed on this repo at https://developer.mend.io/github/workos. Without it, this file is inert.
• Optional: validate the JSON with npx --yes --package renovate -- renovate-config-validator renovate.json.
• Once Mend processes the repo, the first Renovate PR should appear with grouped GitHub Actions updates respecting the 7-day cooldown.

Notes

Part of the rollout for SECENG-299 "Implement Dependency Management for GitHub Workflow SHA pins". Companion PRs are being opened in the rest of the public SDKs and adjacent repos.

Link to Devin session: https://app.devin.ai/sessions/337e586a7c3e40ce8da2d048b402e6f5

[devin-ai-integration]

Original prompt from will.porter

'Implement Dependency Management for GitHub Workflow SHA pins' (SECENG-299)

User instruction: @devin lets consider ways to ease the pain of updating the sha pins. Dependabot or renovate configs may be a valid solution. Note that we will want some kind of feature such as minimumReleaseAge to prevent us from adopting workflows that are less than 7 days old. Please present options with pros and cons before implementing anything

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[linear-code]

SECENG-299 Implement Dependency Management for GitHub Workflow SHA pins

[coderabbitai]

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 38 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e2a0fdff-c04d-4afb-907f-60b85357ba8c

📥 Commits

Reviewing files that changed from the base of the PR and between b0588c7 and 9ab959d.

📒 Files selected for processing (1)

• renovate.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/seceng-299-renovate-config

---

_{Review rate limit: 0/5 reviews remaining, refill in 6 minutes and 38 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds a renovate.json that opts the repo into the shared workos/renovate-config preset, restricted to the github-actions manager. The config is minimal and correct — it will enable automated SHA-pinning and grouped minor/patch automerge for GitHub Actions once the Mend Renovate App is installed on the repo.

Confidence Score: 5/5

Safe to merge — adds only a Renovate config file with no runtime impact.

Single config file addition with valid JSON, correct schema reference, and a well-scoped manager restriction. No logic, security, or runtime concerns.

No files require special attention.

Important Files Changed

Filename	Overview
renovate.json	Adds minimal Renovate config extending the shared workos/renovate-config preset, scoped to github-actions manager only; no issues found.

_{Reviews (1): Last reviewed commit: "chore: Add Renovate config for SHA-pinne..." | Re-trigger Greptile}